RE: Sensationalism? [was Re: FW: Man in the middle attack against RFC3456.]

[Van Aken Dirk <VanAkenD@thmulti.com>]

Hi Scott,

You are correct that RADIUS is well entrenched in the ISP world.
Basically what it does is perform user authentication and depending on the
user profile, assigns a specific address to the user. This address comes
from a pool either managed by the RADIUS server itself or from a DHCP server
that is collocated with the RADIUS server.

Without RADIUS, the Access Servers must perform the user authentication
because protocols such as PPP are link layer (unless tunnelled in
L2TP/L2F/PPTP). Offloading this part of Access Servers is logical because
Access Servers are dedicated hardware devices. In addition a Service
Provider who has customers at different ISP's can centralize it's user
authentication service. Of course IP addresses still must come from the
individual ISP's pools in order to fit in the Internet routing structure.

However I'm intrigued how VPN fits into this scenario ? i.e. Am I going to
set-up a VPN session with my ISP ? In that way my traffic is encrypted
between me and the ISP but how does it travel from there ? Over an MPLS
cloud or is a new VPN tunnel set up to my corporate ? Additionally the
Virtual IP address that is assigned to the VPN client must belong to my
corporate LAN so is the ISP's RADIUS server going to manage an address pool
carved out of my corporate LAN address space ?

BTW, RADUIS has strong links with PPP and as said before, the IKEModeCFG
attributes have sticking resemblance with PPP hence  shares its limitations
...

Best regards - Dirk

> -----Original Message-----
> From: Scott Fanning [mailto:sfanning@cisco.com]
> Sent: donderdag 6 februari 2003 3:32
> To: Scott G. Kelly; ddukes@cisco.com
> Cc: ipsec@lists.tislabs.com
> Subject: Re: Sensationalism? [was Re: FW: Man in the middle attack
> against RFC3456.]
> 
> 
> In actuality, most service providers use RADIUS as a server to get ip
> address, so how does DHCP fit in that (+ many other service provider
> specific attributes)? Do we have to now translate between 
> DHCP and RADIUS?
> DHCP is not the only way to get addresses, but mode config allows the
> security GW to be flexible on how ip addresses are acquired.
> 
> I also vote against the special SA. Having to create an SA, 
> then to find out
> that the ip address pool is exhausted, seems like alot of 
> state to deal
> with.
> 
> As for inside attacks, maybe you should talk to "security" 
> experts who seem
> to indicate that 59% of attacks are from the inside of the network.
> 
> "In the 2002 CPI/FBI survey, for instance, 59 percent of organizations
> surveyed admitted to at least one internal attack."
> 
> Yeah, the RADIUS server is vulnerable too, but at least you 
> don't waste QM
> mode.
> 
> Anyway, my two cents. I am sure you will shoot it down. This is a good
> debate. Too bad it was not this vigorous during the 
> standardization process.
> Oh yes, it was, but it was out of scope, out of charter.
> 
> Scott
> ----- Original Message -----
> From: "Scott G. Kelly" <scott@bstormnetworks.com>
> To: <ddukes@cisco.com>
> Cc: <ipsec@lists.tislabs.com>
> Sent: Wednesday, February 05, 2003 11:51 AM
> Subject: Sensationalism? [was Re: FW: Man in the middle attack against
> RFC3456.]
> 
> 
> > Come on, Darren - you must be joking. What you describe is 
> not an attack
> > against RFC3456 - it's an attack against DHCP/BOOTP, and 
> this is nothing
> > new. If you run DHCP on your network and you have malicious 
> insiders,
> > they can do all sorts of things. The same applies for most other
> > commonly run lan protocols. And since you've already conceded that a
> > scalable modecfg implementation will be running dhcp on the backend,
> > what is the point of this post?
> >
> > Let's stick with arguments with technical merit.
> >
> > Scott
> >
> > Darren Dukes wrote:
> > >
> > > Amendment:
> > > Eve sends the DHCPACK to the DHCP-relay (not the IRAC) with a
> manufactured
> > > DHCP Relay Agent Information Option or one copied from a 
> previous DHCP
> > > message.
> > >
> > > > -----Original Message-----
> > > > From: Darren Dukes [mailto:ddukes@cisco.com]
> > > > Sent: Wednesday, February 05, 2003 12:10 PM
> > > > To: ipsec@lists.tislabs.com
> > > > Subject: Man in the middle attack against RFC3456.
> > > >
> > > >
> > > > There is a man in the middle attack on the DHCP-relay 
> in RFC3456.
> > > > This attack is based on the thread defined in RFC3118
> > > > (DHCP-AUTH).  In this case Eve is inside the LAN and able to
> > > > source DHCPACK packets, if Eve sends a DHCPACK to a an 
> IRAC via a
> > > > SGW implementing RFC3456 the DHCP-relay on the SGW will plumb a
> > > > new route for whatever address Eve puts in yiaddr.
> > > >
> > > >                |-Eve
> > > > IRAC ---- SGW -|
> > > >                |-DHCP Server
> > > >
> > > > excerpt from RFC3456:
> > > >    To learn the internal IP address of the client in 
> order to route
> > > >    packets to it, the security gateway will typically 
> snoop the yiaddr
> > > >    field within the DHCPACK and plumb a corresponding 
> route as part of
> > > >    DHCP Relay processing.
> > > >
> > > > This attack is not resolved by the implementation of RFC3118
> > > > unless the following changes are made to the DHCP-relay.
> > > > 1 - It stored a copy of all secret keys contained on the
> > > > DHCP-server and used them to authenticate DHCPACKs or 
> it stored a
> > > > copy of the master key and used that to generate the client keys
> > > > as described in RFC3118 Appendix A.
> > > > 2 - DHCP-relay implements the DHCP-server replay protection.
> > > >
> > > >
> > > > Darren
> > > >
> >
>